Environment
- Carbon Black Cloud Sensor: 3.8
- Microsoft Windows 10
Symptoms
- Alert for process says it was blocked due to policy deny
- Cloud (Initial) reptuation shows --
- Cloud (Current) reputation shows TRUSTED_WHITE_LIST
- Block / alert occurred around sensor startup
- Policy settings include "Delay execute on cloud scan"
- Policy rule to block Unknown application or process > Invokes an untrusted process.
Cause
The sensor tries to get the processs' reputation via cloud, but is unable to due to network issues. When this happens, the reputation will not be available and the process will be blocked
Resolution
Once the device has network connections, the process reputation should update so future runs won't be blocked
Additional Notes
Resolving network issues on the device is outside the scope of Carbon Black Support and should be investigated with network / system administrators